Microsoft Dismantles Malvertising Scam Using GitHub, Discord, Dropbox


Microsoft Threat Intelligence exposes a malvertising campaign exploiting GitHub, Discord, and Dropbox. Discover the multi-stage attack chain, the use of LOLBAS, and the various malware payloads. Get detailed analysis, IOCs, and mitigation recommendations.

Microsoft’s Threat Intelligence team has recently dismantled a large-scale malvertising campaign that impacted nearly one million devices worldwide. The primary targets were Windows systems running various browsers, including Chrome and Edge, and the victims ranged from individual users to large enterprises, demonstrating the campaign's broad reach.

Tracked under the name Storm-0408, this campaign was discovered in December 2024 and involved a multi-stage attack chain. According to Microsoft’s research report, shared with Hackread.com, the attack originated from illegal streaming websites where the attackers utilized compromised GitHub repositories to distribute malware as well as Discord and Dropbox for hosting some payloads. The malicious GitHub repositories have since been removed.

Users were initially redirected from illegal streaming sites, which embedded malicious advertisements within video frames “to generate pay-per-view or pay-per-click revenue,” leading to intermediate websites. These websites then redirected users to GitHub, where the first-stage malware payloads were hosted.

These repositories served as a launchpad for deploying additional malware and scripts. The initial malware established a foothold on the compromised devices, enabling the deployment of subsequent payloads designed to collect system information and exfiltrate documents and data from the affected systems.

The initial access payloads on GitHub were typically obfuscated JavaScript files that initiated the download and execution of further malware. The attack chain consisted of multiple stages, each with specific objectives, as Microsoft illustrated in the following image:

Attack Stages and Attack Chain (Source: Microsoft)

The first-stage payload, hosted on GitHub, acted as a dropper for the second-stage files. These files were used for system discovery, collecting information such as memory size, graphics details, screen resolution, operating system, and user paths. This data was then Base64-encoded and exfiltrated to a command-and-control (C2) server. A typical redirection chain might look like this:

illegalstreamingsite.com/movie.html -> malvertisingredirector.com/redirect.php -> intermediarysite.net/landing.html -> github.com/malicioususer/malware.js.
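As an added example (not code from the article or from Microsoft's report), the following Python reconstructs per-client referer chains from constructed proxy log lines and flags the pattern just described: several redirect hops that end at a JavaScript file hosted on GitHub. The log format, the GitHub host list and the sample lines are assumptions made for illustration.

```python
"""Added example, not from the article or Microsoft's report: rebuild referer
chains from constructed proxy log lines and flag the pattern described above
(streaming site -> redirector -> intermediary -> .js file on GitHub).
Hostnames and log lines are constructed for illustration."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed log format: "<client_ip> <referer or -> <requested_url>"
SAMPLE_LOG = """\
10.0.0.5 - http://illegalstreamingsite.com/movie.html
10.0.0.5 http://illegalstreamingsite.com/movie.html http://malvertisingredirector.com/redirect.php
10.0.0.5 http://malvertisingredirector.com/redirect.php http://intermediarysite.net/landing.html
10.0.0.5 http://intermediarysite.net/landing.html https://github.com/malicioususer/malware.js
10.0.0.9 http://news.example/index.html https://github.com/someorg/site/app.js
"""

# GitHub hosts that can serve raw file content (assumed list, extend as needed)
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
MIN_HOPS = 3  # streaming site -> redirector -> intermediary -> GitHub = 3 hops


def build_chain(hops, final_url):
    """Walk referers backwards from final_url; hops maps url -> referer."""
    chain, seen = [final_url], {final_url}
    while chain[-1] in hops and hops[chain[-1]] not in seen:
        chain.append(hops[chain[-1]])
        seen.add(chain[-1])
    chain.reverse()  # oldest page first
    return chain


def find_suspicious_chains(log_text, min_hops=MIN_HOPS):
    """Return {client_ip: chain} for chains of >= min_hops redirects that end
    at a .js file hosted on GitHub."""
    referers = defaultdict(dict)  # client -> {requested_url: referer}
    for line in log_text.splitlines():
        client, referer, url = line.split()
        if referer != "-":
            referers[client][url] = referer
    hits = {}
    for client, hops in referers.items():
        for url in hops:
            parsed = urlparse(url)
            if parsed.hostname in GITHUB_HOSTS and parsed.path.lower().endswith(".js"):
                chain = build_chain(hops, url)
                if len(chain) - 1 >= min_hops:
                    hits[client] = chain
    return hits
```

A single direct link from a news page to a GitHub-hosted script (the 10.0.0.9 line) is not flagged, which keeps the check focused on the multi-hop redirector pattern rather than on GitHub traffic in general.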

Depending on the second-stage payload, various third-stage payloads were deployed, which conducted additional malicious activities, including C2 communication, data exfiltration, and defence evasion techniques.

The attackers also utilized legitimate tools and scripts, and most importantly a technique known as “living-off-the-land binaries and scripts” (LOLBAS), to blend in with normal system activity. For example, one common tactic was to inject malicious code into the legitimate RegAsm.exe process to establish C2 connections and exfiltrate data.

The campaign employed a modular approach, with each stage dropping another payload with distinct functions including system discovery, credential theft, and data exfiltration. Persistence was achieved through modifications to the registry and the creation of shortcut files in the Windows Startup folder.

The prompt collaboration between Microsoft and GitHub in taking down malicious repositories highlights the importance of industry cooperation in combating cyber threats.

Microsoft has provided detailed recommendations to mitigate the impact of this threat, including strengthening Microsoft Defender for Endpoint configurations, enhancing operating environment security, and implementing multi-factor authentication.

Ensar Seker, Chief Security Officer at SOCRadar, commented on the latest development, stating, “The attackers used geofencing, device fingerprinting, and cloaking techniques to evade detection, which means the malicious payload is only delivered to targeted users, making it harder for security solutions to track and mitigate the campaign.”

“This campaign is likely part of a broader MaaS (Malware as a Service) ecosystem, where attackers use pre-built malvertising kits to distribute payloads like stealers, ransomware, and banking trojans,” Ensar added. “Malvertising has traditionally targeted Windows users, but with more professionals using macOS and Linux, we’ll see cross-platform payloads becoming more common.”
